CVE-2020-15906
Published: 2020-10-22
Priority: P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 27.36% (97.8th percentile)
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tiki | >= 16.3 < 21.2 | 21.2 |
Detection & IOCs (extracted from sources)
- command: `ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n`
- command: `ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n`
- snort: `alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:2; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)`
- bytes: `&user=admin&pass=&`
- The exploit sends 50+ POST requests to /tiki-login.php with invalid credentials to trigger the admin password blank-out, then authenticates with an empty password. Detect a high volume (≥50) of POST requests to /tiki-login.php from a single source IP.
- The final exploitation step is a POST to /tiki-login.php with a body containing `user=admin` and an empty `pass=` field. This specific body pattern is the definitive indicator of the blank-password authentication attempt.
- The exploit extracts a CSRF ticket from /tiki-login_scr.php before each login attempt. Rapid sequential GET requests to /tiki-login_scr.php followed by POSTs to /tiki-login.php from the same session are a strong behavioral indicator.
- Shodan/FOFA exposure query for identifying internet-facing Tiki Wiki CMS instances vulnerable to this CVE.
- The exploit uses a fixed User-Agent string during the brute-force phase, which can be used as a detection signal.
- Post-exploitation success can be detected by monitoring for authenticated admin sessions (e.g., access to /tiki-index.php returning 'System Menu', 'Settings') immediately following a burst of failed logins to /tiki-login.php.
- The exploit uses 50 threads (`threads: 50`) with a batteringram attack pattern, meaning all 50 payloads are fired concurrently. Detection thresholds should account for burst/concurrent requests rather than only sequential rate-limiting.
- The vulnerability affects Tiki versions before 21.2 only. Instances already on 21.2+ are not affected and should not generate false positives from the Snort rule in normal operation.
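The two detection signals above (a burst of ≥50 POSTs to /tiki-login.php from one source, followed by a POST whose body carries `user=admin` with an empty `pass=`) can be checked against web logs. The following is an added example written for this page; it is not code from the tracker, from the Suricata rule's authors or from the Tiki project. It assumes a hypothetical reverse-proxy log format of `<ISO-8601 timestamp> <src_ip> <method> <path> <url-encoded body or ->` (access logs that omit request bodies can only feed the burst check), and the sample traffic it analyzes is constructed inline.

```python
"""Detection logic for the CVE-2020-15906 login-burst and blank-password
signals over constructed proxy log lines (added example, not page code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

LOGIN_PATH = "/tiki-login.php"


def parse_line(line):
    """Parse one line of the assumed (hypothetical) log format:
    '<ISO-8601 ts> <src_ip> <method> <path> <urlencoded body or ->'."""
    ts, ip, method, path, body = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "body": "" if body == "-" else body}


def is_blank_admin_login(body):
    """The condition the Snort rule expresses as content:"&user=admin&pass=&",
    evaluated on the decoded form so parameter order and encoding do not matter."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("user") == ["admin"] and params.get("pass") == [""]


def login_post_bursts(events, threshold=50, window=timedelta(seconds=60)):
    """Return {src_ip: peak count} for sources that sent >= threshold POSTs to
    /tiki-login.php inside any sliding window. A sliding window (rather than a
    per-second rate) still fires when all 50 requests arrive concurrently."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def analyze(lines, threshold=50):
    """Combine both signals; 'chained_ips' is the high-confidence set where the
    blank-password POST comes from a source that just produced a burst."""
    events = [parse_line(line) for line in lines]
    bursts = login_post_bursts(events, threshold)
    blank = sorted({e["ip"] for e in events
                    if e["method"] == "POST" and e["path"] == LOGIN_PATH
                    and is_blank_admin_login(e["body"])})
    chained = sorted(ip for ip in blank if ip in bursts)
    return {"burst_ips": bursts, "blank_login_ips": blank, "chained_ips": chained}


def build_sample_log():
    """Constructed sample traffic (not captured data): 50 failed attempts from
    203.0.113.7 within ~10 s, then the blank-password POST, plus ordinary
    traffic from 198.51.100.4 that must not be flagged."""
    base = datetime(2020, 10, 27, 12, 0, 0)
    lines = []
    for i in range(50):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 POST {LOGIN_PATH} ticket=t{i}&user=admin"
                     f"&pass=wrong{i}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n")
    ts = (base + timedelta(seconds=12)).isoformat()
    lines.append(f"{ts} 203.0.113.7 POST {LOGIN_PATH} ticket=t50&user=admin"
                 "&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n")
    lines.append(f"{base.isoformat()} 198.51.100.4 GET /tiki-index.php -")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 198.51.100.4 POST "
                 f"{LOGIN_PATH} ticket=t99&user=alice&pass=correct-horse&login=")
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

The body check is done on the decoded parameters rather than on the raw `&user=admin&pass=&` substring so that a reordered or differently encoded body is still caught; the burst check uses a 60-second sliding window per source so that both the sequential and the 50-thread concurrent variant exceed the threshold.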
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Suricata
ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)
suricata · 2020-10-27 · CVSS 9.8 · CRITICAL
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:2; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_
Exploit-DB
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
exploitdb · 2020-10-21 · CVSS 9.8 · CRITICAL
---
```python
# Exploit Title: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
# Date: 01.08.2020 (1st August 2020)
# Exploit Author: Maximilian Barz aka. Silky
# Vendor Homepage: tiki.org
# Software Link: https://jztkft.dl.sourceforge.net/project/tikiwiki/Tiki_21.x_UY_Scuti/21.1/tiki-21.1.zip
# Version: 21.1
# Tested on: Kali Linux 5.7.0-kali1-amd64
#!/usr/bin/env python3
import requests
import json
import lxml.html
import sys

# ASCII-art banner (whitespace was collapsed during extraction)
banner = '''
████████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██████ ██ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███ ███
██ ██ █████ ██ ██ █ ██ ██ █████ ██ █████ ██ ██
██ ██ ██ ██ ██ ██ ███ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ███ ███ ██ ██ ██ ██ ███████ ██ ██ ██
█████ ██ ██ ████████ ██ ██ ███████ ███ ██ ████████ ██ █████
'''
```
Nuclei
Tiki Wiki CMS GroupWare - Authentication Bypass
nuclei · CVSS 9.8 · CRITICAL
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
Template:
```yaml
id: CVE-2020-15906

info:
  name: Tiki Wiki CMS GroupWare - Authentication Bypass
  author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu
  severity: critical
  description: |
    tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
  impact: |
    Unauthenticated attackers can trigger 50 failed login attempts to reset the admin password to blank, gaining complete administrative access to the Tiki Wiki CMS and all its content.
  remediation: |
    Upgrade to Tiki Wiki CMS version 21.2 or later.
  reference:
    - https://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authe
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
- https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3